I guess you mean user logs into a node you're monitoring (not logging into the FreeNATS interface)?

If that is the case (node login) then probably not. There are a couple of ways it could be technically accomplished; a log scan, a login script updating a tmp file, a continuous process monitoring connections etc but none of these would be all that reliable, portable or integrate easily into FreeNATS.

To trap "normal" login events (i.e. users opening proper sessions as root - authorised or not!) then there are a number of tools available - as a first thought I'd consider a script built around logwatch that ran pretty often. Obviously if you want to catch more nefarious l33t h4ck3r5 then you need something a bit more heavyweight that monitors processes etc.